Merge pull request #92 from grafana/use_secret_for_minio

Use a secret for the Minio access

charts/meta-monitoring/templates/ruler/ruler.yaml

@@ -49,6 +49,9 @@ spec:
             - containerPort: 7946
               name: memberlist
               protocol: TCP
+          envFrom:
+          - secretRef:
+             name: mmc-minio
           readinessProbe:
             failureThreshold: 3
             httpGet:

charts/meta-monitoring/values.yaml

@@ -229,9 +229,9 @@ loki:
       common:
         storage:
           s3:
-            access_key_id: "{{ .Values.global.minio.rootUser }}"
+            access_key_id: "${rootUser}"
             endpoint: "{{ .Release.Name }}-minio.{{ .Release.Namespace }}.svc:9000"
-            secret_access_key: "{{ .Values.global.minio.rootPassword }}"
+            secret_access_key: "${rootPassword}"
       compactor:
         retention_enabled: true
         delete_request_store: s3
@@ -254,8 +254,24 @@ loki:
         installOperator: false
     lokiCanary:
       enabled: false
-  test:
+  write:
-    enabled: false
+    extraArgs:
+    - "-config.expand-env=true"
+    extraEnvFrom:
+    - secretRef:
+        name: "mmc-minio"
+  read:
+    extraArgs:
+    - "-config.expand-env=true"
+    extraEnvFrom:
+    - secretRef:
+        name: "mmc-minio"
+  backend:
+    extraArgs:
+    - "-config.expand-env=true"
+    extraEnvFrom:
+    - secretRef:
+        name: "mmc-minio"
 
 alloy:
   alloy:
@@ -292,30 +308,31 @@ alloy:
 mimir-distributed:
   minio:
     enabled: false
+  global:
+    extraEnvFrom:
+    - secretRef:
+        name: "mmc-minio"
   mimir:
     structuredConfig:
       alertmanager_storage:
         s3:
           bucket_name: mimir-ruler
-          access_key_id: "{{ .Values.global.minio.rootUser }}"
-          endpoint: "{{ .Release.Name }}-minio.{{ .Release.Namespace }}.svc:9000"
-          secret_access_key: "{{ .Values.global.minio.rootPassword }}"
-          insecure: true
       blocks_storage:
         backend: s3
         s3:
           bucket_name: mimir-tsdb
-          access_key_id: "{{ .Values.global.minio.rootUser }}"
-          endpoint: "{{ .Release.Name }}-minio.{{ .Release.Namespace }}.svc:9000"
-          secret_access_key: "{{ .Values.global.minio.rootPassword }}"
-          insecure: true
       ruler_storage:
         s3:
           bucket_name: mimir-ruler
-          access_key_id: "{{ .Values.global.minio.rootUser }}"
+      common:
-          endpoint: "{{ .Release.Name }}-minio.{{ .Release.Namespace }}.svc:9000"
+        storage:
-          secret_access_key: "{{ .Values.global.minio.rootPassword }}"
+          backend: s3
-          insecure: true
+          s3:
+            bucket_name: mimir-ruler
+            access_key_id: "${rootUser}"
+            endpoint: "{{ .Release.Name }}-minio.{{ .Release.Namespace }}.svc:9000"
+            secret_access_key: "${rootPassword}"
+            insecure: true
       limits:
         compactor_blocks_retention_period: 30d
 
@@ -328,12 +345,39 @@ tempo-distributed:
           s3:
             bucket: tempo
             endpoint: "{{ .Release.Name }}-minio.{{ .Release.Namespace }}.svc:9000"
-            access_key: "{{ .Values.global.minio.rootUser }}"
+            access_key: "${rootUser}"
-            secret_key: "{{ .Values.global.minio.rootPassword }}"
+            secret_key: "${rootPassword}"
             insecure: true
-      compactor:
+  distributor:
-        compaction:
+    extraArgs:
-          block_retention: 30d
+    - "-config.expand-env=true"
+    extraEnvFrom:
+    - secretRef:
+        name: "mmc-minio"
+  ingester:
+    extraArgs:
+    - "-config.expand-env=true"
+    extraEnvFrom:
+    - secretRef:
+        name: "mmc-minio"
+  compactor:
+    extraArgs:
+    - "-config.expand-env=true"
+    extraEnvFrom:
+    - secretRef:
+        name: "mmc-minio"
+  querier:
+    extraArgs:
+    - "-config.expand-env=true"
+    extraEnvFrom:
+    - secretRef:
+        name: "mmc-minio"
+  queryFrontend:
+    extraArgs:
+    - "-config.expand-env=true"
+    extraEnvFrom:
+    - secretRef:
+        name: "mmc-minio"
   traces:
     otlp:
       http:
@@ -342,8 +386,7 @@ tempo-distributed:
         enabled: true
 
 minio:
-  rootUser: rootuser
+  existingSecret: "minio"
-  rootPassword: rootpassword
   buckets:
     - name: loki-chunks
       policy: none

docs/installation.md

@@ -25,17 +25,17 @@
    ```
    kubectl create secret generic logs -n meta \
     --from-literal=username=<logs username> \
-    --from-literal=password=<token>
+    --from-literal=password=<token> \
     --from-literal=endpoint='https://logs-prod-us-central1.grafana.net/loki/api/v1/push'
 
    kubectl create secret generic metrics -n meta \
     --from-literal=username=<metrics username> \
-    --from-literal=password=<token>
+    --from-literal=password=<token> \
     --from-literal=endpoint='https://prometheus-us-central1.grafana.net/api/prom/push'
 
    kubectl create secret generic traces -n meta \
     --from-literal=username=<OTLP instance ID> \
-    --from-literal=password=<token>
+    --from-literal=password=<token> \
     --from-literal=endpoint='https://otlp-gateway-prod-us-east-0.grafana.net/otlp'
    ```
 
@@ -67,6 +67,14 @@
    kubectl create namespace meta
    ```
 
+1. Create a secret with the user and password for the local Minio:
+
+   ```
+   kubectl create secret generic minio -n meta \
+    --from-literal=rootPassword=<password> \
+    --from-literal=rootUser=<user>
+   ```
+
 1. Create a values.yaml file based on the [default one](../charts/meta-monitoring/values.yaml). An example minimal values.yaml looks like this:
 
    ```